The encoding on the shellcode uses a method similar to Shakita Ga Nai encoding.
I would also like to thank Denis O’Brien @Malwageddon for pointing me to this video on how to set up the vm to use X86Dbg to load when the equation editor loaded.
I would also like to thank him for giving me the tip of setting a break point at 0x00411874 on the return instruction for the font record. This can get you close to where you need to be but then you have to step thru from there.
Also this blog post had some helpful information on breakpoints that helped while trying to run this with the debugger attached.
Before we jump into the debugger let take a look at the file and extract the shellcode.
When we first open the file we see
Here we can see it is a zip file so lets just unzip it to get the file structure.
Let’s look in the “xl” folder.
Now we need embeddings.
Let take a look at this file in a hex editor.
This is an OLE file so we can just use 7Zip to extract the contents.
This a Ole0Native binary file so lets see what is in this.
By the looks of this. It does not appear to have any other headers so this is our shellcode that gets run.
Lets copy all of the data here and drop it into CyberChef.
Let’s take a closer look at this in Notepad++ with the colors for assembly.
Now lets do some math at the beginning.
After doing the math here we can refer back to the blog post and see that the result matches Globallock.
So let jump Into the debugger. After getting to the fonts and finding the corrupted one we step thru and find what we are looking for. The Beginning Of our Shellcode.
The values just above notepad are the ones we see in our debugger. Finally on the right track.
After loading Globallock and returning from Kernal32 we end up in a series of jumps.
Here I was able to get a graph of the function calls
The Part we need to understand is at the top where it goes into the loop.
Here we can See the value that will be used as a Multiplier.
You can Also see my notes from a previous run the values we need to find.
So After running thru all of this we can find the decoded Shellcode in ECX.
While stepping thru this I also copied the assembly and the current values to a text documents. Lets take a closer look at the flow.
Now we have a better understand of how the decoding works. Here is a more Simple Version.
Now we can build a decoder for this.
We need 3 values that we can get from the Cyberchef output. The Multiply value, the Addition Value And the Length value.
We will look at the length value first.
So now we need to find where this is in the Shellcode we extracted.
As it turns out if we just extract from the end of the shellcode data the amount here 0x2A7 then that is the data we will be decoding.
This is now our encoded shell code. We can copy paste this to the new tool, get the other to values and click a button.
If we are right then you should see the decoded values clearly.
So now we can decode these by extracting the shellcode from the file, copy paste to to Cyberchef to get the Assembly, look for the required parameters and finally input them into the tool and click a button for the result without having to run the file.
Although you can just run them and get the URL where it calls to, this will give you what else in the shellcode and and what API’s are run.
The few different ones I have done have all worked just a bit different under the hood even though they have the same effect of just calling out to some site somewhere and downloading a file.
If you click on the Twitter link to this sample an then click on the CVE- tag at the top it will present you with , at the time of research, 116 pages of files that potentially use this type of encoding.
That’s it for this one. I hope you learned something too.
Links to URL’s in this post:
Twitter Link for this sample
AnyRun Task Link for this sample.
Link to blog post with the different values
Link to the video on how to set up X86Dbg to attach to the Equation editor.
Link to My Github with tool and decoding notes.